Skip to main content Why Microsoft Security AI-powered cybersecurity Cloud security Data security & governance Identity & network access Privacy & risk management Security for AI Unified SecOps Zero Trust Microsoft Defender Microsoft Entra Microsoft Intune Microsoft Priva Microsoft Purview Microsoft Sentinel Microsoft Security Copilot Microsoft Entra ID (Azure Active Directory) Microsoft Entra Agent ID Microsoft Entra External ID Microsoft Entra ID Governance Microsoft Entra ID Protection Microsoft Entra Internet Access Microsoft Entra Private Access Microsoft Entra Permissions Management Microsoft Entra Verified ID Microsoft Entra Workload ID Microsoft Entra Domain Services Azure Key Vault Microsoft Sentinel Microsoft Defender for Cloud Microsoft Defender XDR Microsoft Defender for Endpoint Microsoft Defender for Office 365 Microsoft Defender for Identity Microsoft Defender for Cloud Apps Microsoft Security Exposure Management Microsoft Defender Vulnerability Management Microsoft Defender Threat Intelligence Microsoft Defender Suite for Business Premium Microsoft Defender for Cloud Microsoft Defender Cloud Security Posture Mgmt Microsoft Defender External Attack Surface Management Azure Firewall Azure Web App Firewall Azure DDoS Protection GitHub Advanced Security Microsoft Defender for Endpoint Microsoft Defender XDR Microsoft Defender for Business Microsoft Intune core capabilities Microsoft Defender for IoT Microsoft Defender Vulnerability Management Microsoft Intune Advanced Analytics Microsoft Intune Endpoint Privilege Management Microsoft Intune Enterprise Application Management Microsoft Intune Remote Help Microsoft Cloud PKI Microsoft Purview Communication Compliance Microsoft Purview Compliance Manager Microsoft Purview Data Lifecycle Management Microsoft Purview eDiscovery Microsoft Purview Audit Microsoft Priva Risk Management Microsoft Priva Subject Rights Requests Microsoft Purview Data Governance Microsoft Purview Suite for Business Premium Microsoft Purview data security capabilities Pricing Services Partners Cybersecurity awareness Customer stories Security 101 Product trials How we protect Microsoft Industry recognition Microsoft Security Insider Microsoft Digital Defense Report Security Response Center Microsoft Security Blog Microsoft Security Events Microsoft Tech Community Documentation Technical Content Library Training & certifications Compliance Program for Microsoft Cloud Microsoft Trust Center Security Engineering Portal Service Trust Portal Microsoft Secure Future Initiative Business Solutions Hub Contact Sales Start free trial Microsoft Security Azure Dynamics 365 Microsoft 365 Microsoft Teams Windows 365 Microsoft AI Azure Space Mixed reality Microsoft HoloLens Microsoft Viva Quantum computing Sustainability Education Automotive Financial services Government Healthcare Manufacturing Retail Find a partner Become a partner Partner Network Microsoft Marketplace Marketplace Rewards Software development companies Blog Microsoft Advertising Developer Center Documentation Events Licensing Microsoft Learn Microsoft Research View Sitemap

Content types

Topics

If you spent 270 days away from home, not on vacation, you’d want it to be for a good reason. When boarding a plane, sometimes having been pulled out of bed to leave family for weeks on end, it’s because one of our customers is in need. It means there is a security compromise and they may be dealing with a live cyberattack.

As the Microsoft Detection and Response Team (DART), our job is to respond to compromises and help our customers become cyber-resilient. This is also our team mission. One we take very seriously. And it’s why we are passionate about what we do for our customers.

Our unique focus within the Microsoft Cybersecurity Solutions Group allows DART to provide onsite reactive incident response and remote proactive investigations. DART leverages Microsoft’s strategic partnerships with security organizations around the world and with internal Microsoft product groups to provide the most complete and thorough investigation possible. Our response expertise has been leveraged by government and commercial entities around the world to help secure their most sensitive, critical environments.

How DART works with Microsoft customers

Our team works with customers globally to identify risks and provide reactive incident response and proactive security investigation services to help our customers manage their cyber-risk, especially in today’s dynamic threat environment.

In one recent example, our experts were called in to help several financial services organizations deal with attacks launched by an advanced threat actor group that had gained administrative access and executed fraudulent transactions, transferring large sums of cash into foreign bank accounts.

When the attackers realized they had been detected, they rapidly deployed destructive malware that crippled the customers’ operations for three weeks. Our team was on site within hours, working around the clock, side-by-side with the customers’ security teams to restore normal business operations.

Incidents like these are a reminder that trust remains one of the most valuable assets in cybersecurity and the role of technology is to empower defenders to stay a step ahead of well-funded and well-organized adversaries.

Overlooking a single security threat can create a serious event that could severely erode community and consumer confidence, can tarnish reputation and brand, negatively impact corporate valuations, provide competitors with an advantage, and create unwanted scrutiny.

That’s why our DART team also offers The Security Crisis and Response Exercise. This is a hands-on two-day custom, interactive experience on understanding security crisis situations and how to respond in the event of a cybersecurity incident. We examine our customers’ security posture and implement proactive readiness training with the objective of helping customers prepare for incident response through practice exercises.

The simulation is based on real-life scenarios from recent cybersecurity incident response engagements. The exercise focuses on topics such as Ransomware, Office 365 compromises, and compromises via industry-specific malware with complex backdoor software. Each scenario focuses on the key areas of cybersecurity: Identify, Protect, Detect, Respond, and Recover and covers a broad eco-system including supply chain vulnerabilities such as software vendors, IT service vendors, and hardware vendors.

DART basic recommendations

To help you become more cyber-resilient, below are a few recommendations from our team based on our experiences of what customers can be doing now to help harden their security posture.

Standardize—The cost of security increases as the complexity of the environment increases. To reduce the total cost of ownership (TCO), standardization is key. It also reduces the number of secure configurations the organization must maintain.

  • Domain controllers should be nearly identical to each other in both the operating system (OS) level and the apps running on them.
  • Member server groups should be standardized based on other similar or same functions.
    • File servers on the same OS with the same apps.
    • SQL servers on the same OS with the same apps.
    • Exchange servers on the same OS with the same apps.
  • Reduce the number of disjoined security products.
    • It is not possible to manage the security of an enterprise from 15 different security consoles that are not integrated.
    • Find a partner that covers multiple layers of security with integrated products.

Modernize—Consider this analogy: In WWII, the battleship was a fearsome ship bristling with guns, big and small, and built to take a hit. Today, a single missile cruiser could sink an entire fleet of WWII battleships. Technology evolves quickly. If you put off modernizing your environment, you could be missing critical technologies that protect your organization.

  • Accelerate adoption plans for Server 2016 and Windows 10.
    • Start with Domain Controllers and workstations of admins/VIPs.
    • Follow on with line of business (LOB) member servers and easy win upgrades like file servers.
    • Finalize with all other member servers and workstations.
  • Accelerate cloud adoption plans, while understanding the shared-risk model between customers’ cloud vendors and their retained risk you must continue to manage.
  • Evaluate security tools based on their ability to succeed in the modern threat landscape. Cloud-enabled security solutions need to base capability on four key pillars:
    • Endpoint telemetry—Windows, Android, iOS, Linux, etc. are the initial points from which data is collected.
    • Compute—Datacenter power. This is the compute power needed to organize all the endpoint telemetry.
    • Machine learning and artificial intelligence (AI)—Once we have all this endpoint telemetry organized, we use machine learning and AI to make sense of it.
    • Threat intelligence—Generated from the combination of the three previously mentioned pillars, the human interaction/feedback loop (the DART team) is used to make this data actionable and can help product groups course correct the machine learning and AI algorithms when needed.

Develop a comprehensive patching strategy

  • Update both Microsoft and all third-party apps.
  • Employ a software inventory solution like System Center Configuration Manager (SCCM).
  • Reboot after patching.
  • Avoid policy exceptions for business units to avoid patching where possible.
    • Short term: Enforce vulnerable machine/application isolation.
    • Long term: Adjust the acquisitions process to include a new vendor for the needed functionality.

Develop a comprehensive backup strategy

  • Always have a backup policy in place.
  • Test to ensure backups work.
  • Check to see if successful backups are online. If so, ensure they are not vulnerable to online threats.

Credential hygiene

  • Most modern attacks are identity based.
  • Read the Pass-the-Hash white papers that explains the exposure of privileged credentials on lower trusted tier systems.
  • Run through a Security Development Lifecycle (SDL) on internally developed apps to look for vulnerabilities and/or hard coded credentials.
  • Look for privileged accounts that are being used as service accounts.
    • At the very least, change them manually on a regular basis.
    • If you upgrade to 2012R2 or higher, you can use managed service accounts (MSA) where supported.

As the DART team, we have engaged with the most well-run IT environments in the world. Yet, even these networks get penetrated from time to time. The challenge of cybersecurity is one we must face together. While we hope you never have to call on our DART team, we are a trusted partner ready to help.

Learn more

To learn more about DART, our engagements, and how they are delivered by experienced cybersecurity professionals who devote 100 percent of their time to providing cybersecurity solutions to customers worldwide, please contact your account executive. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Microsoft Incident Response

See Microsoft Incident Response posts

Related posts

Get started with Microsoft Security

Protect your people, data, and infrastructure with AI-powered, end-to-end security from Microsoft.

Learn how

Connect with us on social

Surface Pro Surface Laptop Surface Laptop Studio 2 Copilot for organizations Copilot for personal use AI in Windows Explore Microsoft products Windows 11 apps Account profile Download Center Microsoft Store support Returns Order tracking Certified Refurbished Microsoft Store Promise Flexible Payments Microsoft in education Devices for education Microsoft Teams for Education Microsoft 365 Education How to buy for your school Educator training and development Deals for students and parents AI for education
Microsoft AI Microsoft Security Dynamics 365 Microsoft 365 Microsoft Power Platform Microsoft Teams Microsoft 365 Copilot Small Business Azure Microsoft Developer Microsoft Learn Support for AI marketplace apps Microsoft Tech Community Microsoft Marketplace Marketplace Rewards Visual Studio Careers About Microsoft Company news Privacy at Microsoft Investors Diversity and inclusion Accessibility Sustainability
English (United States)
Your Privacy Choices Opt-Out Icon Your Privacy Choices
Consumer Health Privacy Sitemap Contact Microsoft Privacy Manage cookies Terms of use Trademarks Safety & eco Recycling About our ads